Bounty Hunters Spying on You? The FCC Doesn't Care

January 11, 2019

Gaurav

Original photo by Flickr user Sascha Kohlmann

The internet has been buzzing this week with the latest breaking privacy scandal.

Major U.S. cellular carriers like AT&T, Sprint and T-Mobile have been selling their customers’ location information, letting it fall into the hands of actual bounty hunters, according to reporting from Vice’s Motherboard. For just $300, a reporter was able to track down the location of a cellphone to within just a few hundred meters:

“The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location ....

“Queens, New York. More specifically, the screenshot showed a location in a particular neighborhood—just a couple of blocks from where the target was. The hunter had found the phone (the target gave their consent to Motherboard to be tracked via their T-Mobile phone).

“The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.”

How was this possible?

Buried in many wireless carriers’ customer-privacy policies is a provision that allows them to sell access to their customers’ location information. These providers then sell that information to data brokers, advertising networks, banks and other (supposedly) “reputable” companies.

But once those wireless carriers sell that information, they lose track of it as it travels down the supply chain, often ending up in nefarious hands.

Companies like AT&T have touted the benefits of sharing their customers’ location information, claiming that it helps with “important, potential lifesaving services like emergency roadside assistance” and that less-than-savory uses, like selling that information to bounty hunters, would “violate our contract and Privacy Policy.”

Yet these privacy scandals keep happening and all these companies can offer are empty promises that they’ll assess their practices and change them (maybe). Next time, they always insist in their apology tour, things will be different.

It’s clear that the major telcos can’t be trusted. The truth is that as long as there’s money to be made by selling their customers’ information to third parties, self-regulation will never work.

How is this legal?

There's a litany of failures, starting with the FCC.

These kinds of mobile voice cellular services are still classified as telecommunications services under Title II of the Communications Act (as ISPs were too, until Chairman Ajit Pai overturned the Net Neutrality rules). The FCC has a legal obligation under Section 222 of the Act to make sure that telecommunications carriers protect their customers’ proprietary information — including location information.

Rules governing how mobile carriers must protect that information have been in effect for over 10 years. The Commission still has ample authority to deal with this problem, and it could if it weren’t asleep at the wheel. (And, at the moment, if the Trump shutdown weren’t hindering all sorts of essential government functions too.)

The FCC updated those rules in 2016 under then-Chairman Tom Wheeler, further clarifying that these same privacy protections applied to mobile internet services too; that location information was sensitive; and that carriers could use it only to help provide telecommunications service unless the customer opted in to sharing it with third parties.

Carriers like AT&T lobbied hard against those protections, and President Trump signed a Congressional Review Act (CRA) repealing the additional regulations in 2017.

But the bedrock law and the rules protecting a telecom customer’s information are still on the books.

That means that the FCC still has ample authority to investigate and prevent these wireless-carrier abuses, despite the fact that the GOP-led Congress and the Pai FCC did so much over the last two years to strip away the agency’s rightful authority over broadband internet-access service. It’s unconscionable that Chairman Pai has abdicated his responsibilities and failed to protect people.

Even with the FCC’s Net Neutrality and Title II repeal for broadband — and even with the congressional CRA that torpedoed the FCC’s broadband-privacy rules — the agency could still act here and now. Yet the Pai FCC has been remarkably unwilling to enforce its own rules and has shown little interest in protecting wireless customers from these kinds of abuses.

The FCC likely can't investigate the kinds of sketchy data aggregators that bought this location information and eventually sold it to bounty hunters, but the Federal Trade Commission could investigate these dishonest and unfair practices under its Section 5 authority.

Wireless carriers have failed to police their own contracts and to protect their customers’ privacy. There's profit to be made in trafficking this kind of information. So long as regulators and Congress ignore the problem and wireless companies chase profits at all costs, these abuses will likely continue.

What can we do?

The FCC needs to rein in these mobile carriers and end these practices. Google, Facebook and other internet giants are huge threats to our privacy too, but, as we’ve said all along, so are cable and phone companies that already know so much about us and are itching to make even more money off of that data.